Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

(1)

Weak Keys of the Full MISTY1 Block Cipher for

Related-Key Cryptanalysis

⋆

Jiqiang Lu1, Wun-She Yap1,2, and Yongzhuang Wei3,4

1

Institute for Infocomm Research, Agency for Science, Technology and Research 1 Fusionopolis Way, #19-01 Connexis, Singapore 138632

[email protected], [email protected] 2

Faculty of Information Science and Technology, Multimedia University, Melaka 75450, Malaysia

3

Guilin University of Electronic Technology, Guilin City, Guangxi Province 541004, P.R. China

4 _{State Key Laboratory of Information Security, Institute of Software,} Chinese Academy of Sciences, Beijing 100190, P.R. China

walker₋[email protected]

Abstract. The MISTY1 block cipher has a 64-bit block length, a 128-bit user key and a

recommended number of 8 rounds. It is a Japanese CRYPTREC-recommended e-government cipher, an European NESSIE selected cipher, and an ISO international standard. Despite of considerable cryptanalytic efforts during the past fifteen years, there has been no pub-lished cryptanalytic attack on the full MISTY1 cipher algorithm. In this paper, we present related-key differential and related-key amplified boomerang attacks on the full MISTY1 under certain weak key assumptions: We describe 2103.57 weak keys and a related-key dif-ferential attack on the full MISTY1 with a data complexity of 261chosen ciphertexts and a time complexity of 287.94 _{encryptions; and we also describe 2}92 _{weak keys and a related-key} amplified boomerang attack on the full MISTY1 with a data complexity of 260.5chosen plain-texts and a time complexity of 280.18_{encryptions. For the very first time, our results exhibit} a cryptographic weakness in the full MISTY1 cipher (when used with the recommended 8 rounds), and show that the MISTY1 cipher is distinguishable from a random function and thus cannot be regarded to be an ideal cipher.

Key words: Block cipher, MISTY1, Diﬀerential cryptanalysis, Ampliﬁed boomerang attack, Related-key cryptanalysis, Weak key.

1 Introduction

The block cipher MISTY1 [33] was designed by Matsui and published in 1997. It has a 64-bit block length, a 128-bit user key, and a variable number of rounds; the oﬃcially recommended number of rounds is 8. We consider the version of MISTY1 that uses the recommended 8 rounds in this paper, which is also the most widely discussed version so far. MISTY1 has a Feistel structure with a total of ten key-dependent logical functionsFL

— twoFLfunctions at the beginning plus two inserted after every two rounds. It became a CRYPTREC [10] e-government recommended cipher in 2002, and a NESSIE [35] selected block cipher in 2003, and was adopted as an ISO [15] international standard in 2005 and 2010.

MISTY1 has attracted extensive attention since its publication, and its security has been analysed against a wide range of cryptanalytic techniques [1,12,25,26,29,32,38–42]. In summary, the main previously published cryptanalytic results on MISTY1 are as follows. In 2008, Dunkelman and Keller [12] described impossible diﬀerential attacks [3, 23] on 6-round MISTY1 with FL functions and 7-round MISTY1 without FL functions. In the

(2)

Table 1.Main cryptanalytic results on MISTY1

#Rounds FL #Keys Attack Type Data Time Source

6 (1−6) yes 2128 Impossible differential 251CP 2123.4Enc. [12] 6 (1−6) yes 2128 Higer-order differential 253.7CP 264.4Enc. [40, 41] 6 (3−8) yes 2128 _Integral ₂32_CC ₂126.1_Enc. _[38] 7 (1−7) yes 2128 Higer-order differential 254.1CP 2120.7Enc. [41, 42] 7†(2−8) yes 273 Related-key amplified boomerang 254CP 255.3Enc. [29] 8†(1−8) yes 290 _{Related-key amplified boomerang 2}63_CP ₂70_Enc. _[9] 8†(1−8) yes 2105‡ _{Related-key differential} ₂63_CC ₂86.6_Enc. _[11]

full yes 2103.57 Related-key diﬀerential 261CC 287.94Enc. Sect. 4 292 _{Related-key ampliﬁed boomerang 2}60.5_{CP 2}80.18_{Enc. Sect. 5}

†: Exclude the ﬁrst/last two FL functions,‡: There is a ﬂaw, see Section 5 for detail.

same year, Lee et al. [29] gave a related-key amplified boomerang attack [4, 14, 20] on 7-round MISTY1 with FL functions under a class of 273weak key1, and Tsunoo et al. [41] presented a higher-order differential attack [22, 27] on 6 and 7-round MISTY1 with FL functions (without making a weak key assumption). In 2009, Sun and Lai [38] presented an integral attack on 6-round MISTY1 with FL functions, following Knudsen and Wagner’s attack [24] on 5-round MISTY1. Most recently, following Lee et al.’s work, Chen and Dai [9] presented a 7-round related-key amplified boomerang distinguisher with probability 2−118 under a class of 290weak keys and gave a related-key amplified boomerang attack on the 8-round MISTY1 with only the first 8 FL functions; and in [11] they described a 7-round related-key differential characteristic with probability 2−60under a class of 2105 weak keys and finally presented a related-key differential attack on the 8-round MISTY1 with only the last 8 FL functions. So far, there has been no published (non-generic) cryptanalytic attack on the full 8 rounds of MISTY1 yet.

Related-key cryptanalysis [2, 21] assumes that the attacker knows the relationship be-tween one or more pairs of unknown keys; certain current real-world applications may allow for practical related-key attacks, for example, key-exchange protocols and hash functions [17]. Related-key differential cryptanalysis [17] takes advantage of how a spe-cific difference in a pair of inputs of a cipher or function can affect a difference in the pair of outputs of the cipher or function, where the pair of outputs are obtained by encrypt-ing the pair of inputs usencrypt-ing two different keys with a specific difference. The related-key amplified boomerang attack [4, 14, 20] is a combination of related-key cryptanalysis and the amplified boomerang attack [18]; the amplified boomerang attack is a variant of the boomerang attack [43]. Remarkably, under certain weak key assumptions the related-key differential cryptanalysis technique was used in 2009 by Biryukov et al. [8] to obtain the the first cryptanalytic attack on the full version of the AES [36] block cipher with 256 key bits; and the related-key amplified boomerang attack technique was used to yield the first cryptanalytic attacks on the full versions of both AES with 192/256 key bits and KASUMI [16] — a variant of MISTY1, without using a weak key assumption, by Biham et al. [5, 13] and Biryukov et al. [7], respectively.

In this paper, for the very first time we show that the full MISTY1 cipher can be distinguished from a random function (in the related-key model): Building on Chen and Dai’s work described in [9,11], we present related-key differential and amplified boomerang attacks on the full MISTY1 cipher under certain weak key assumptions. First, we spot some flaws in Dai and Chen’s differential cryptanalytic results presented in [11], and find that there are only about 2102.57 weak keys in their weak key class such that their 7-round

(3)

related-key diﬀerential holds, but with probability 2−58_{; and we observe that there are}

also a different class of 2102.57 weak keys under which there exists a 7-round related-key differential with probability 2−58. We use the 7-round related-key differentials to break the full MISTY1. Finally, we find that under the class of 290 weak keys described in [9], Chen and Dai’s 7-round related-key amplified boomerang distinguisher actually has a probability of 2−116, instead of 2−118, which can be used to attack the full MISTY1; and similar results hold for three other classes of weak keys of the same size. Table 1 summarises our and previously published main cryptanalytic results on MISTY1, where CP and CC refer respectively to the numbers of chosen plaintexts and chosen ciphertexts, Enc. refers to the required number of encryption operations of the relevant version of MISTY1, and “yes” means “with FL functions”.

The remainder of the paper is organised as follows. In the next section, we describe the notation, the MISTY1 cipher and the related-key amplified boomerang attack. In Sections 3 and 4 we review Chen and Dai’s cryptanalytic results and give our differential and amplified boomerang cryptanalytic results on MISTY1, respectively. Section 5 concludes this paper.

2 Preliminaries

In this section we give the notation, and brieﬂy describe the MISTY1 cipher and the related-key ampliﬁed boomerang attack.

2.1 Notation

The bits of a value are numbered from left to right, starting with 1. We use the following notation throughout this paper.

⊕ bitwise logical exclusive OR (XOR)

∩ bitwise logical AND

∪ bitwise logical OR

|| bit string concatenation

◦ functional composition. When composing functions X and Y, Y◦X denotes the function obtained by ﬁrst applying X and then Y

2.2 The MISTY1 Block Cipher

MISTY1 [33] employs a complex Feistel structure with a 64-bit block length and a 128-bit user key. It uses the following three functionsFL,FI,FO, which are respectively depicted in Fig. 1-(a), Fig. 1-(b) and Fig. 1-(c) with their respective subkeys to be described below.

– FL:{0,1}32×{0,1}32→ {0,1}32is a key-dependent linear function. IfX= (XL||XR)

is a 32-bit block andY = (Y1||Y2) is a 32-bit block of two 16-bit wordsY1, Y2, then

FL(X, Y) = (XL⊕((XR⊕(XL∩Y1))∪Y2), XR⊕(XL∩Y1)).

– FI:{0,1}16×{0,1}16→ {0,1}16is a non-linear function. IfX= (XL(9 bits)||XR(7 bits))

and Y = (Y1(7 bits)||Y2(9 bits)) are 16-bit blocks, then FI(X, Y) is computed as

fol-lows, whereXL0, XR0,· · ·, XL3, XR3are 9 or 7-bit variables, S9is a 9×9-bit bijective

S-box, S7 is a 7×7-bit bijective S-box, the function Extnd extends from 7 bits to 9

(4)

S9 ⊕ S7 ⊕ ⊕

⊕ S9 ⊕

KIij2

KIij1

⊕ ⊕

∩ ∪

KLi1

KLi2

⊕ ⊕

KOi1

FI_i₁ ⊕ ⊕

KOi2

FI_i₂ ⊕ ⊕

KOi3

FI_i₃ ⊕

KOi4

(a_{) :} FL_i ₍b_{) :} FI_ij

(c_{) :}FO_i

Extnd Trunc Extnd

FL1 FL₂

⊕

FO1

⊕

FO₂

FL3 FL4

⊕

FO3

FL₉ FL₁₀

.. .

(d_{) : MISTY1}

Fig. 1.MISTY1 and its components

1. XL0 =XL, XR0=XR;

2. XL1 =XR0,XR1 = S9(XL0)⊕Extnd(XR0);

3. XL2 =XR1⊕Y2,XR2 = S7(XL1)⊕Trunc(XR1)⊕Y1;

4. XL3 =XR2,XR3 = S9(XL2)⊕Extnd(XR2);

5. FI(X, Y) = (XL3||XR3).

– FO:{0,1}32× {0,1}64× {0,1}48→ {0,1}32is a non-linear function. IfX= (XL||XR)

is a 32-bit block,Y = (Y1||Y2||Y3||Y4) is a 64-bit block of four 16-bit wordsY1, Y2, Y3, Y4,

andZ = (Z1||Z2||Z3) is a 48-bit block of three 16-bit wordsZ1, Z2, Z3, thenFO(X, Y, Z)

is deﬁned as follows, whereXL0, XR0,· · ·, XL3, XR3 are 16-bit variables.

1. XL0 =XL, XR0=XR;

2. For j= 1,2,3:

XLj =XRj−1,XRj =FI(XLj−1⊕Yj, Zj)⊕XRj−1;

3. FO(X, Y, Z) = (XL3⊕Y4)||XR3.

MISTY1 uses a total of ten 32-bit subkeysKL1, KL2,· · ·, KL10 for theFL functions,

twenty-four 16-bit subkeysKIij for theFI functions, and thirty-two 16-bit subkeysKOil

for theFO functions, (16i68,16j63,16l64), all derived from a 128-bit user key

K. The key schedule is as follows.

1. RepresentK as eight 16-bit words K= (K1, K2,· · ·, K8).

2. Generate a diﬀerent set of eight 16-bit wordsK₁′, K₂′,· · ·, K₈′ by

K_i′ =FI(Ki, Ki+1), fori= 1,2,· · ·,8,

where the subscript i+ 1 is reduced by 8 when it is larger than 8, (similar for some subkeys in the following step).

3. The subkeys are as follows.

KOi1=Ki, KOi2=Ki+2, KOi3 =Ki+7, KOi4 =Ki+4; KIi1 =Ki′+5, KIi2 =Ki′+1, KIi3 =Ki′+3;

KLi =Ki+1 2 ||K

′

i+1 2 +6

, fori= 1,3,5,7; otherwise, KLi =K′i

2+2||

Ki

(5)

P

C E1

KA

P∗

C∗

E0

KB

E1

KB

P′

C′

E0

KC

E1

KC

P′∗

C′∗

E0

KD

E1

KD

α α

β β

γ γ

δ δ E0

KA

Fig. 2.A related-key ampliﬁed boomerang distinguisher

MISTY1 takes a 64-bit plaintext P as input, and has a variable number of rounds; the recommended number of rounds is 8. Its encryption procedure is as follows, where

L0, R0,· · ·, Li, Ri are 32-bit variables, KOj = (KOj1||KOj2||KOj3||KOj4), and KIj =

(KIj1||KIj2||KIj3), (j = 1,2,· · ·,8); see Fig. 1-(d).

1. (L0||R0) = (PL||PR).

2. For i= 1,3,5,7:

Ri =FL(Li−1, KLi), Li=FL(Ri−1, KLi+1)⊕FO(Ri, KOi, KIi);

Ri+1 =Li,Li+1=Ri⊕FO(Li, KOi+1, KIi+1).

3. CiphertextC =FL(R8, KL10)||FL(L8, KL9).

We refer to the 8 rounds in the above description as Rounds 1,2,· · ·,8, respectively.

2.3 The Related-Key Ampliﬁed Boomerang Attack

A related-key amplified boomerang attack is based on a related-key amplified boomerang distinguisher, which treats a block cipherE:{0,1}n×{0,1}k → {0,1}nas a cascade of two sub-ciphersE=E1◦E0 and requires that there exists a related-key differential∆α→∆β

with probabilitypforE0: Pr_X_∈{₀_,₁_}n[E0_K

A(X)⊕E 0

KB(X⊕α) =β] = PrX∈{0,1}n[E 0

KC(X)⊕

E0_K

D(X⊕α) =β] =p, and a related-key diﬀerential∆γ→∆δ with probability q forE 1_:

Pr_X_∈{₀_,₁_}n[E1_K

A(X)⊕E 1

KC(X⊕γ) =δ] = PrX∈{0,1}n[E 1

KB (X)⊕E

1

KD(X⊕γ) =δ] = q,

where the four unknown user keys KA, KB, KC, KD satisfy KB = KA⊕∆K0, KC =

KA⊕∆K1 and KD =KC ⊕∆K0, with∆K0 and ∆K1 being two known diﬀerences. See

Fig. 2.

A quartet consisting of two randomly chosen pairs of plaintexts (P, P∗ = P ⊕α) and (P′, P′∗ = P′ ⊕α) satisﬁes E0_K

A(P)⊕E 0

KB(P

∗_{) =} _E0

KC(P

′₎_⊕_E0

KD(P

′∗_{) =} _β _with

probabilityp2. Assuming that the intermediate values afterE0distribute uniformly over all possible values, we getE0_K

A(P)⊕E 0

KC(P

′_{) =}_γ_{with probability 2}−n_{. Once this occurs, then}

E0_K

B(P

∗₎_⊕_E0

KD(P

′∗_{) =}_γ _{holds with probability 1, for}_E0

KB(P

∗₎_⊕_E0

KD(P

′∗_{) = (}_E0

KA(P)⊕

E0_K

B(P

∗₎₎_⊕₍_E0

KC(P

′₎_⊕_E0

KD(P

′∗₎₎_⊕₍_E0

KA(P)⊕E 0

KC(P

′_{)) =}_β_⊕_β_⊕_γ ₌_γ_{. As a result,}

the probability that the quartet satisﬁesEKA(P)⊕EKC(P′) =EKB(P∗)⊕EKD(P′∗) =δ

is expected to be about (Pr(∆α→∆β))2·2−n·(Pr(∆γ→∆δ))2 = 2−n·p2·q2; while for a random cipher, the probability is about 2−n×2= 2−2n.

(6)

Note that in addition to those assumptions [28] used in differential cryptanalysis [6], the related-key amplified boomerang attack requires another assumption about independence, and we refer the reader to [19, 34] for a more formal discussion of the assumptions as well as the attack technique. These assumptions mean that, in some cases, the probability of a related-key amplified boomerang distinguisher may be overestimated or underestimated, and so is the success probability of the attack. Anyway, it seems reasonable to take the worst case assumption from the point of the user of a cipher. An application of such an attack was given by Dunkelman et al. [13] to break the full KASUMI cipher with a practical complexity, and its validity was experimentally verified.

3 2103.57 _{Weak Keys of the Full MISTY1 for a Related-Key Diﬀerential}

Attack

In this section, we first review Dai and Chen’s class of 2105 weak keys and their 7-round related-key differential characteristic with probability 2−60 under the class of weak keys. Then, we show that there are actually only 2102.57weak keys such that the 7-round related-key differential characteristic holds, and it has a probability of 2−58. Next we devise a related-key differential attack on the full MISTY1 when the user key used is a weak key from the class of 2102.57 weak keys. At last we describe another class of 2102.57 weak keys under which similar results hold.

3.1 A Class of 2105 Weak Keys due to Dai and Chen

First deﬁne three constants which will be used subsequently: A 7-bit constanta= 0010000, a 16-bit constantb= 0010000000010000, and another 16-bit constantc= 00100000000000 00, all in binary notation. Observe thatb= (a||02||a) and c= (a||09).

LetKA, KB be two 128-bit user keys deﬁned as follows:

KA= (K1, K2, K3, K4, K5, K6, K7, K8), KB = (K1, K2, K3, K4, K5, K6∗, K7, K8).

By the key schedule of MISTY1 we can get the corresponding eight 16-bit words for

KA, KB, which are denoted as follows.

K_A′ = (K₁′, K₂′, K₃′, K₄′, K₅′, K₆′, K₇′, K₈′), K_B′ = (K₁′, K₂′, K₃′, K₄′, K₅′∗, K₆′∗, K₇′, K₈′).

Then, the class of weak keys is deﬁned to be the set of all possible values for (KA, KB)

that satisfy the following 10 conditions, where K6,12 denotes the 12-th bit of K6, and

similar forK7,3, K7,12, K8,3, K4′,3, K4′,12, K7′,3.

K6⊕K6∗=c; (1)

K₅′ ⊕K₅′∗=b; (2)

K₆′ ⊕K₆′∗=c; (3)

K6,12= 0; (4)

K7,3 = 1; (5)

K7,12= 0; (6)

K8,3 = 1; (7)

K₄′_,₃ = 1; (8)

K₄′_,₁₂= 1; (9)

(7)

Now let us analyse the number of the weak keys. First observe that when Condition (1) holds, then Condition (2) holds with certainty.

Note that K₄′ =FI(K4, K5), K6′ =FI(K6, K7), K6′∗ =FI(K6∗, K7), K7′ =FI(K7, K8).

By performing a computer search, we get

|{(K4, K5)|Conditions (8) and (9)}|= 230;

|{(K6, K7, K8)|Conditions (1),(3),(4),(5),(6),(7) and (10)}|= 227.

Therefore, Dai and Chen [11] concluded that there are a total of 2105 possible values forKAsatisfying the above 10 conditions, and thus there are 2105 weak keys.

3.2 Dai and Chen’s 7-Round Related-Key Diﬀerential Characteristic

Under the class of 2105 weak keys (KA, KB) described in Section 3.1, Dai and Chen

de-scribed the following 7-round related-key diﬀerential characteristic∆α→∆β: (b||032||c)→ (032||c||016) with probability 2−60 for Rounds 2–8, where 032 represents a binary string of 32 zeros, and so on. In Fig. 5 in Appendix A we illustrate the related-key diﬀerential characteristic in detail, whereR4,3 denotes the 3-rd bit ofR4 (the right half of the output

of Round 4), and R4,12 denotes the 12-th bit ofR4.

As a result, Dai and Chen presented a related-key diﬀerential attack on 8-round MISTY1 without the ﬁrst two FL functions, by conducting a key recovery on FO1 in

a way similar to the early abort technique for impossible diﬀerential cryptanalysis intro-duced in [32]

3.3 A Corrected Class of Weak Keys and Improved 7-Round Related-Key

Diﬀerential

We ﬁrst focus on the FI73 function in Dai and Chen’s 7-round related-key diﬀerential

characteristic, where the probability is 2−16. Observe that KI73 = K2′. Dai and Chen

assumed a random distribution when calculating the probability of the diﬀerential ∆c→ ∆cforFI73, and thus obtained a probability value of 2−16, (An alternative explanation is

to consider the two S9S-boxes, each having a probability value of 2−8). However, intuitively

we should make sure that a weak key (KA, KB) should also satisfy the condition that the

differential∆c→∆cis a possible differential forFI73; otherwise, the differential∆c→∆c

would have a zero probability, and the 7-round differential characteristic would be flawed. Thus, we should put the following additional condition when defining a set of weak keys:

Pr_FI₍_·_,K′

2)(∆c→∆c)>0. (11) Motivated by this, we perform a computer programming to test the number of K₂′

satisfying Condition (11), and we ﬁnd that the number ofK₂′ satisfying Condition (11) is equal to 215. As a consequence, we know that the number of (K2, K3) satisfying Condition

(11) is 231_{, thus not all 2}32 _{possible values for (}_K

2, K3) meet Condition (11), so this is

really a flaw in Dai and Chen’s results. Furthermore, we find that for each satisfyingK₂′, there are exactly two pairs of inputs to FI73 which follow the differential ∆c→∆c, that

is to say, the probability Pr_FI₍_·_,K′

2)(∆c → ∆c) = 2

−15_{, twice as large as the probability}

value 2−16 used by Dai and Chen.

Next we focus on the FI21function in Dai and Chen’s 7-round related-key diﬀerential

characteristic, where the probability is 2−16, and KI21 = K7′. Likewise, we should make

sure that a weak key (KA, KB) should also satisfy the condition that the diﬀerential

(8)

a zero probability, and the 7-round differential characteristic would be flawed. Similarly, we should put another condition when defining a set of weak keys:

PrFI(·,K₇′)(∆b→∆c)>0. (12)

By performing a computer programming we ﬁnd that the number of K₇′ satisfying Condition (12) is 24320 ≈ 214.57; on the other hand, the number of K₇′ satisfying Con-ditions (1), (3), (4), (5), (6), (7) and (10) is 215 (and for each satisfying K₇′ there are 212 possible values for (K₆′, K8)), so not all the possible values of K7′ satisfying

Condi-tions (1), (3), (4), (5), (6), (7) and (10) satisfy Condition (12). After a further test, we get that the number ofK₇′ satisfying Conditions (1), (3), (4), (5), (6), (7), (10) and (12) is 12160≈ 213.57. As a result, we know that the number of (K6, K7, K8) satisfying

Con-ditions (1), (3), (4), (5), (6), (7), (10) and (12) is 213.57×212 = 225.57, so this is another ﬂaw in Dai and Chen’s results. Furthermore, we have that PrFI(·,K₇′)(∆b→∆c) is 2−15for

each of 9600 satisfying values forK₇′, 2−14 for each of 2432 satisfying values for K₇′, and

6

216 ≈2−13.42 for each of 128 satisfying values forK₇′.

In summary, there are approximately 2102.57 weak keys satisfying Conditions (1)–(12), and the 7-round related-key diﬀerential ∆α → ∆β has a minimum probability of 2−58 under a weak key (KA, KB). In particular, we have the following result.

Proposition 1. In the class of 2102.57 weak keys satisfying Conditions (1)–(12),

1. there are 216 _{possible values for}_K

1, 216 possible values forK3, and 216 possible values for K5;

2. there are225.57 possible values for(K6, K7, K8); in particular there are a total of213.57 possible values for K₇′, and for every possible value ofK₇′ there are 212 possible values for (K₆′, K8);

3. there are a total of 28 possible values for K₂′_,₈₋₁₆, 216 possible values for K₃′, and 28

possible values for K₄′_,₈₋₁₆, where K₂′_,₈₋₁₆ denotes bits (8,· · ·,16) of K₂′ and K₄′_,₈₋₁₆ denotes bits(8,· · ·,16) of K₄′;

4. PrFI(·,∀K₇′)(∆b→∆c)≥2−15,PrFI(·,∀K₂′)(∆c→∆c) = 2−15.

3.4 Attacking the Full MISTY1 under the Class of 2102.57 Weak Keys

The 7-round related-key diﬀerential with probability 2−58_{can be used to conduct a}

related-key diﬀerential attack on the full MISTY1 when the user related-key used is a weak related-key from the class of 2102.57 weak keys.

Preliminary Results. We ﬁrst concentrate on the propagation of the input diﬀerence

α(= b||032||c) of the 7-round diﬀerential through the preceding Round 1, including the

FL1 and FL2 functions, under (KA, KB); see Fig. 3.

Under (KA, KB), by the key schedule of MISTY1 we have

∆KO11=∆K1= 0, ∆KO12=∆K3 = 0, ∆KO13=∆K8= 0, ∆KO14=∆K5 = 0,

∆KI11=∆K6′ =c, ∆KI12=∆K2′ = 0, ∆KI13=∆K4′ = 0, ∆KL1 =∆(K1||K7′) = 0, ∆KL2 =∆(K3′||K5) = 0.

As depicted in Fig. 3, the right half ofαis (016||c), so theFI11function has a zero input

diﬀerence; however since ∆KO11 = 0 and ∆KI11 = c, the output diﬀerence of FI11 is b

(9)

inFI12 has an input diﬀerence a||02, and we assume its output diﬀerence isA ∈ {0,1}9;

the S7 function inFI12has a zero input and output diﬀerence. The second S9 function in

FI12 has an input diﬀerenceA, and we assume its output diﬀerence isB ∈ {0,1}9. As a

result, theFI12function has an output diﬀerenceX = (Trunc(A)||(B⊕(02||Trunc(A)))).

A simple computer programming reveals that Trunc(A) can take all 27 possible values, and thus we assume thatX can take all values in{0,1}16.

Since the input diﬀerence of theFI13function is 09||a, the ﬁrst S9 function inFI13 has

a zero input diﬀerence. The S7 function inFI13 has an input diﬀerencea, and we assume

its output difference is D ∈ {0,1}7, which can take only 26 possible values. The second S9 function in FI13 has an input difference 02||a, and we assume its output difference is E∈ {0,1}9. Consequently, theFI13function has an output difference Y = ((a⊕D)||(E⊕

(02||(a⊕D)))), and it can take about 215values in{0,1}16; we denote the set of 215values bySd.

TheFL1 function has an output diﬀerence (016||c), so its input diﬀerence can only be

of the form

32bits

z }| {

00?0000000000000||00?0000000000000, which will be denoted byη = (ηL, ηR)

in the following descriptions, where the question marker “?” represents an indeterminate bit; and when the first question marker takes a zero value, the second question marker can take only 1, that is η has only three possible values, (The specific form depends on the values of the two subkey bitsK1,3 and K7′,3). TheFL2 function has an output difference

(X⊕c)||(X⊕Y⊕(09||a)), so its input diﬀerence is indeterminate, denoted by “?” in Fig. 3. From the above analysis we can see that the subkeys KI121 and KI131 do not aﬀect

the values ofXandY, and thus they are not required when checking whether a candidate plaintext pair generates the input diﬀerence α = (b||032||c) of the 7-round related-key diﬀerential. Further, as K₃′ =FI(K3, K4), K4′ =FI(K4, K5), K6′ =FI(K6, K7) and K7′ =

FI(K7, K8), we have the following result.

Proposition 2. Only the subkeys(K1, K2′,8−16, K3, K4, K5, K6, K7, K8)are required when checking whether a candidate plaintext pair produces the input diﬀerenceα = (b||032_||_c₎ _of the 7-round related-key diﬀerential.

Attack Procedure. We ﬁrst precompute two hash tables T1 and T2. Observe that from the left halves of a pair of plaintexts we only need (K1, K3, K2′,8−16) when computing the

output diﬀerence X of the FI12 function and only need (K1, K6′, K7′, K8, K4′,8−16) when

computing the output diﬀerenceY of theFI13 function. To generateT1 andT2, we do the

following procedure under every 32-bit valuex= (xL||xR).

1. For every possibleK1:

(a) Compute Z = (xL∩K1)⊕((xL⊕ηL)∩K1)⊕ηR, and proceed to the following

steps only when Z =c.

(b) For every possible (K3, K2′,8−16), compute the output diﬀerence ofFI12 asX.

2. Store all satisfying (K1, K3, K2′,8−16) into TableT1 indexed by (x, η, X).

3. For every possibleK₇′:

(a) Compute W =ηL⊕(((xL∩K1)⊕xR)∪K7′)⊕(((xL∩K1)⊕xR⊕c)∪K7′), and

proceed to the following steps only when W = 0.

(b) For every possible (K₆′, K8, K4′,8−16), compute the output diﬀerence ofFI13 asY.

4. Store the values of (K6, K7, K8) corresponding to all satisfying (K6′, K7′, K8) into Table T2 indexed by (x, η, Y, K1, K4′,8−16).

(10)

⊕ ⊕

∩ ∪

K₁

K′ 7

⊕ ⊕

S9 ⊕ S7 ⊕ ⊕

⊕ S₉ ⊕

∆KI112 = 0

∆KI_{111 =}a K₁

⊕ ⊕

S9 ⊕ S7 ⊕ ⊕

⊕ S9 ⊕

KI₁₂₂

KI₁₂₁ K₃

⊕ ⊕

S9 ⊕ S7 ⊕ ⊕

⊕ S9 ⊕

KI₁₃₂

KI₁₃₁ K₈

⊕

K₅ ⊕

⊕ ⊕

∩ ∪

K′ 3

K₅

η=

32bits

z }| {

00?0000000000000||00?0000000000000 ?

b X

c

0

b||016 016||_c

09||a X⊕(09||a)

Y X⊕(09||a) X⊕Y⊕(09||a)

016

||c ₍_X_⊕_c₎_||₍_X_⊕_Y_⊕₍₀9

||a))

S9 ⊕ S7 ⊕ ⊕

⊕ S9 ⊕

KI₁₂₂

KI₁₂₁

X= (Trunc(A)||(B⊕(02||Trunc(A)))) 0

a||02 A A

0

Trunc(A)

B S9 ⊕ S7 ⊕

⊕

⊕ S9 ⊕

KI₁₃₂

KI₁₃₁

Y= ((a⊕D)||(E⊕(02||(a⊕D)))) 0

a

D 02||a

E a⊕D

0

Fig. 3.Propagation ofαthrough the inverse of Round 1 withFL1 andFL2

216×28×2−16= 223satisfying values for (K1, K3, K2′,8−16) inT1. The precomputation for T1 takes about 232×3×216×216×28 ≈273.59FIcomputations, andT1requires a memory of about 224×232×3×216×16+16+8₈ ≈275.91 bytes. There are 213.57 possible values for

K₇′, 212possible values for (K₆′, K8), 28 possible values forK4′,8−16, and 215possible values

forY. For a ﬁxed (x, η, Y, K1, K4′,8−16), on average there are 213.57×2−1×212×2−15 =

29.57 satisfying values for (K₆′, K₇′, K8) in T2. The precomputation for T2 takes about

232×3×216×213.57×212×28×2≈284.16 FIcomputations, and T2 requires a memory of about 29.57×232×3×215×216×28×6≈284.74 bytes. Note that we can use several tricks to optimise the procedure to reduce the computational complexity for generating the two tables, but anyway it is negligible compared with the computational complexity of the following online attack procedure.

We devise the following attack procedure to break the full MISTY1 when a weak key is used.

1. Initialize zero to an array of 295.57 counters corresponding to all the 295.57 possible values for (K1, K2′,8−16, K3, K4, K5, K6, K7, K8).

2. Choose 260 ciphertext pairs (C, C∗ =C⊕(032||c||016)). In a chosen-ciphertext attack scenario, obtain the plaintexts for the ciphertexts C, C∗ under KA, KB, respectively,

and we denote by P = (P LL||P LR, P RL||P RR) the plaintext for ciphertext C

en-crypted under KA, by P∗ = (P L∗L||P L∗R, P R∗L||P R∗R) the plaintext for ciphertextC∗

encrypted underKB.

3. Check whether a plaintext pair (P, P∗) meets the condition (P LL||P LR)⊕(P L∗_L||P L∗_R)

=η by ﬁrst checking the 30 bit positions with a zero diﬀerence and then checking the remaining two bit positions. Keep only the satisfying plaintext pairs.

4. For every remaining plaintext pair (P, P∗), do the following sub-steps. (a) Guess a possible value for (K₃′, K5), and compute (X, Y) such that

(X⊕c)||(X⊕Y ⊕(09||a)) =FL(P RL||P RR, K3||′ K5)⊕FL(P R∗L||P R∗R, K3||′ K5).

Execute the next steps only if Y ∈ Sd; otherwise, repeat this step with another

(11)

(b) Access TableT1 at entry (P LL||P LR, η, X) to get the satisfying values for (K1, K3, K₂′_,₈₋₁₆).

(c) For each satisfying value for (K1, K3, K2′,8−16), retrieve K4 from the equation K₃′ = FI(K3, K4), compute K4′ = FI(K4, K5), and access Table T2 at entry

(P LL||P LR, η, Y, K1, K4′,8−16) to get the satisfying values for (K6, K7, K8).

(d) Increase 1 to each of the counters corresponding to the obtained values for (K1, K₂′_,₈₋₁₆, K3, K4, K5, K6, K7, K8).

5. For a value of (K1, K2′,8−16, K3, K4, K5, K6, K7, K8) whose counter number is equal

to or larger than 3, exhaustively search the remaining 7 key bits with two known plaintext-ciphertext pairs. If a value of (K1, K2,· · ·, K8) is suggested, output it as the

user key of the full MISTY1.

Attack Complexity. The attack requires 260×2 = 261 chosen ciphertexts. In Step 3, only 260×2−30× 3₄ ≈ 229.58 palintext pairs are expected to satisfy the condition, and it takes about 260 memory accesses to obtain the satisfying palintext pairs. Step 4(a) has a time complexity of about 229.58×216×216×2 = 262.58FLcomputations. In Step 4(b), for a plaintext pair and a possible value for (K₃′, K5), on average we obtain 223possible values for

(K1, K3, K2′,8−16), as discussed in the procomputation phase; due to the ﬁltering condition

in Step 4(a), Step 4(b) has a time complexity of about 229.58× 2₂1516 ×232×223 = 283.58 memory accesses (if conducted on a 64-bit computer). In Step 4(c), for a plaintext pair and a possible value for (K1, K3, K5, K2′,8−16, K3′), on average we obtain 29.57 possible values

for (K6, K7, K8), (as discussed in the procomputation phase), thus Step 4(c) has a time

complexity of about 228.58×232 ×223×29.57 = 293.15 memory accesses. Step 4(d) has a time complexity of about 293.15 _×_{2 = 2}94.15 _{memory accesses, where the factor “2”}

represents that a single operation requires two memory accesses when conducted on a 64-bit computer.

The probability that the counter for a wrong (K1, K2′,8−16, K3, K4, K5, K6, K7, K8) has

a number equal to or larger than 3 is approximately∑2_i₌₃60[(260_i )·(2−64)i·(1−2−64)260−i]≈ 2−14.67. Thus, it is expected that there are a total of 295.57×2−14.67= 280.9 wrong values of (K1, K2′,8−16, K3, K4, K5, K6, K7, K8) whose counters have a number equal to or larger

than 3. Thus it requires 280.9 ×27+ 280.9×27×2−64 ≈ 287.9 trial encryptions to check them in Step 5. In Step 5, a wrong value of (K1, K2,· · ·, K8) is suggested with probability

2−64×2 = 2−128, so the number of suggested values for (K1, K2,· · ·, K8) is expected to

be 287.9×2−128 = 2−40.1, which is rather low. Thus, the time complexity of the attack is dominated by Steps 4(c), 4(d) and 5. On a general 64-bit personal computer (with Intel Xeon Processor E5630 running on Ubuntu 10.04), we check that a full encryption using an optimised MISTY1 implementation twice as fast as the one given in [37] by the cipher designer equals about 212 _{memory accesses in terms of time. Therefore, the attack has}

a total time complexity of about 293.15×2−12+ 294.15×2−12+ 287.9 ≈ 287.94 MISTY1 encryptions.

The counter for the correct key has an expected number of 260×2−58 = 4, and the probability that the counter for the correct key has a number equal to or larger than 3 is approximately ∑2_i₌₃60[(260_i )·(2−58₎i_·₍₁₋₂−58₎260−i_]_≈ ₀_._{76. Therefore, the related-key}

diﬀerential attack has a success probability of 76%.

(12)

3.5 Another Class of 2102.57 _{Weak Keys}

In the above sub-sections we have described a class of 2102.57_{weak keys and a related-key}

differential attack on the full MISTY1 under a weak key. However, we observe that there exists another class of 2102.57 weak keys under which similar results hold. The new weak key class is obtained by settingK₇′_,₃= 1, which is further classified into two sub-classes by the possible values of the subkey bit K1,3. This will affect only the FL10 function in the

7-round related-key differential, but the output difference ofFL10 will be fixed onceK1,3

is given, that is, the right half of the output diﬀerence of the resulting 7-round related-key diﬀerential will be c||c when K1,3 = 1, and 016||c when K1,3 = 0. Thus, by choosing

a number of ciphertext pairs with a corresponding diﬀerence we can conduct a similar attack on the full MISTY1 under every sub-class of weak keys. In total, we have 2103.57 weak keys under which a related-key diﬀerential attack can break the full MISTY1.

4 292 _{Weak Keys of the Full MISTY1 for a Related-Key Ampliﬁed}

Boomerang Attack

In this section, we ﬁrst review Chen and Dai’s class of 290 weak keys and their 7-round related-key ampliﬁed boomerang distinguisher with probability 2−118_{. Next, we describe}

a slight improvement to Chen and Dai’s 7-round related-key ampliﬁed boomerang dis-tinguisher, which has a probability of 2−116, and then present a related-key ampliﬁed boomerang attack on the full MISTY1 under the class of 290 _{weak keys. Finally, we}

de-scribe three other classes of 290 weak keys under which there exist similar results.

4.1 A Class of 290 Weak Keys due to Chen and Dai

First deﬁne the same three constantsa, b, c as used in Section 3.1, that is a 7-bit constant

a= 0010000, a 16-bit constant b = 0010000000010000, and another 16-bit constant c = 0010000000000000, all in binary notation.

LetKA, KB, KC, KD be four 128-bit user keys deﬁned as follows:

KA= (K1, K2, K3, K4, K5, K6, K7, K8), KB = (K1, K2∗, K3, K4, K5, K6, K7, K8), KC = (K1, K2, K3, K4, K5, K6∗, K7, K8), KD = (K1, K2∗, K3, K4, K5, K6∗, K7, K8).

By the key schedule of MISTY1 we can get the corresponding eight 16-bit words for

KA, KB, KC, KD, which are denoted as follows.

K_A′ = (K₁′, K₂′, K₃′, K₄′, K₅′, K₆′, K₇′, K₈′), K_B′ = (K₁′∗, K₂′∗, K₃′, K₄′, K₅′, K₆′, K₇′, K₈′), K_C′ = (K₁′, K₂′, K₃′, K₄′, K₅′∗, K₆′∗, K₇′, K₈′), K_D′ = (K₁′∗, K₂′∗, K₃′, K₄′, K₅′∗, K₆′∗, K₇′, K₈′).

Then, the class of weak keys is deﬁned to be the set of all possible values for (KA, KB,

KC, KD) that satisfy the following 12 conditions, whereK5,3 denotes the 3-rd bit of K5,

and similar forK5,12, K4′,3, K7,3, K7,12, K8,3.

K2⊕K2∗=c; (13)

(13)

K₁′ ⊕K₁′∗=b; (15)

K₅′ ⊕K₅′∗=b; (16)

K₂′ ⊕K₂′∗=c; (17)

K₆′ ⊕K₆′∗=c; (18)

K5,3 = 1; (19)

K5,12= 0; (20)

K₄′_,₃ = 0; (21)

K7,3 = 1; (22)

K7,12= 0; (23)

K8,3 = 0. (24)

Now let us analyse the number of the weak keys. First observe that when Condition (13) holds, then Condition (15) holds with certainty; when Condition (14) holds, Condition (16) holds with certainty.

Note that K₂′ =FI(K2, K3), K2′∗ =FI(K2∗, K3), K4′ = FI(K4, K5), K6′ = FI(K6, K7), K₆′∗=FI(K₆∗, K7). By performing a computer search, we get

|{(K2, K3)|Conditions (13) and (17)}|= 216; |{(K4, K5)|Conditions (19),(20) and (21)}|= 229; |{(K6, K7)|Conditions (14),(18),(22) and (23)}|= 214.

Therefore, Chen and Dai [9] got that there are a total of 290 possible values for KA

satisfying the above 12 conditions, and thus there are 290 weak keys.

4.2 Chen and Dai’s 7-Round Related-Key Ampliﬁed Boomerang

Distinguisher

We now describe Chen and Dai’s related-key ampliﬁed boomerang distinguisher for Rounds 1–7 under the class of 290 weak keys (KA, KB, KC, KD) described in Section 4.1.

The first related-key differential∆α→∆βfor this distinguisher is the 2-round related-key differential (048_||_b₎_→₍₀32_||_c_||₀16_{) with probability 1 for Rounds 1–2 under (}_K

A, KB)

or under (KC, KD), where 048 represents a binary string of 48 zeros and so on. The

second related-key diﬀerential ∆γ → ∆δ for this distinguisher is the 5-round related-key diﬀerential (048_||_b₎ _→ _{0 with probability 2}−27 _{for Rounds 3–7 under (}_K

A, KC) or under

(KB, KD). In Fig. 6 in Appendix A we illustrate the two related-key diﬀerentials in detail,

whereR4,3 denotes the 3-rd bit ofR4 (the right half of the output of Round 4), and R4,12

denotes the 12-th bit ofR4.

Consequently, Chen and Dai obtained a 7-round related-key ampliﬁed boomerang dis-tinguisher with probability 12×(2−27)2×2−64= 2−118under a weak key (KA, KB, KC, KD).

As a result, they presented an attack on 8-round MISTY1 without the last two FL func-tions, by conducting a key recovery onFO8 (in a way similar to the early abort technique

used in [32]).

4.3 An Improved 7-Round Related-Key Ampliﬁed Boomerang Distinguisher

First focus on the FI73 function in the second related-key diﬀerential ∆γ → ∆δ used

in Chen and Dai’s 7-round distinguisher, where the probability is 2−16. Observe that

KI73=K2′ orK2′∗, depending on which pair from a quartet is considered. Chen and Dai

(14)

what we mention in Section 3.3, we should make sure that a weak key (KA, KB, KC, KD)

should also satisfy the condition that the diﬀerential∆c→∆cis a possible diﬀerential for

FI73; otherwise, the diﬀerential∆c→∆c would have a zero probability, and the 7-round

distinguisher would be ﬂawed. Thus, we should put the following two additional conditions when deﬁning a set of weak keys:

PrFI(·,K₂′)(∆c→∆c)>0; (25)

Pr_FI₍_·_,K′∗

2 )(∆c→∆c)>0. (26) After performing a computer programming, we surprisingly ﬁnd that the number of (K2, K3) satisfying Conditions (13),(17),(25) and (26) is equal to the number of (K2, K3)

satisfying Conditions (13) and (17), that is|{(K2, K3)|Conditions (13),(17),(25) and (26)}|

= 216. This means that the class of weak keys satisfying Conditions (13)–(26) is the same as the class of weak keys satisfying Conditions (13)–(24) due to Chen and Dai. But nev-ertheless we find something valuable: For each possibleK₂′ or K₂′∗, there are exactly two pairs of inputs toFI73which follow the differential∆c→∆c, that is to say, the differential ∆c→ ∆c forFI73 has a probability of 2−15, twice as large as the probability value used

by Chen and Dai.

Therefore, the second related-key diﬀerential∆γ →∆δused in Chen and Dai’s 7-round distinguisher actually has a probability of 2−26_{, and the resulting 7-round distinguisher}

has probability 12×(2−26)2×2−64= 2−116 under a weak key (KA, KB, KC, KD).

Particularly we have the following result.

Proposition 3. In the class of 290 weak keys satisfying Conditions (13)–(26),

1. there are 216 possible values forK1, 214 possible values forK5, and 215 possible values for K8;

2. there are 214 possible values for(K6, K7); in particular there are a total of213 possible values for K7, and for every possible value of K7 there are 2 possible values for K6; 3. there are a total of 216 possible values for K₃′;

4. PrFI(·,∀K₂′)(∆c→∆c) = PrFI(·,∀K₂′∗)(∆c→∆c) = 2−15.

4.4 Attacking the Full MISTY1 under the Class of 290 Weak Keys

We devise a related-key ampliﬁed boomerang attack on the full MISTY1 under a weak key from the weak key class, basing it on the 7-round related-key ampliﬁed boomerang distinguisher with probability 2−116.

Preliminary Results. First concentrate on the propagation of the output diﬀerence

δ(= 0) of the 7-round distinguisher through the following Round 8, including theFL9 and

FL10 functions, under (KA, KC) or under (KB, KD); see Fig. 4.

Under (KA, KC), by the key schedule of MISTY1 we have

∆KO81=∆K8= 0, ∆KO82=∆K2 = 0, ∆KO83=∆K7= 0, ∆KO84=∆K4 = 0,

∆KI81=∆K5′ =b, ∆KI82=∆K1′ = 0, ∆KI83=∆K3′ = 0, ∆KL9 =∆(K5||K3′) = 0, ∆KL10=∆(K7||′ K1) = 0.

Since δ = 0, the FI81 and FI82 functions both have a zero input diﬀerence. The ﬁrst

S9 and S7 in FI81 both have a zero input diﬀerence, however, as ∆KI81 = b we know

(15)

⊕ ⊕

K₈

FI81 ⊕ ⊕ ∆K_{2 = 0}

FI82 ⊕ ⊕ K

7

FI83

⊕

⊕ ⊕

∩ ∪

K₅

K′ 3

⊕ ⊕

∩ ∪

K′ 7

K₁

0 ₀

∆K′

5=b ∆ K′

1= 0 K′ 3 0

0 0 0 Y

0

⊕

K₄

S9 ⊕ S7 ⊕ ⊕

⊕ _S9 ⊕

∆K I_{812 = (0}2||a)

∆K I_{811 =}a 0

0 a

X

a||X Y ⊕(a||X)

Y ⊕(a||X)

a||X

a||X a||X

0

0 a

?

Fig. 4.Propagation ofδthrough Round 8 withFL9 andFL10

function has a form ofa||X, where X ∈ {0,1}9 can take only 28 possible values, and we denote by Sa the set of the 28 possible values forX. Since ∆KO82 = 0 and ∆KI82 = 0,

theFI82 function has a zero output diﬀerence. Since∆KO83= 0, the FI83 function has

an input diﬀerencea||X. We assume the output diﬀerence for FI83 is Y. Then, the FO8

function has an output diﬀerence (a||X)||(Y ⊕(a||X)), so theFL9 function has an input

difference (a||X)||(Y⊕(a||X)), but its output difference is indeterminate (Denoted by the question marker in Fig. 4). TheFL10 function has a zero input and output difference.

The same results hold for the propagation of δ under (KB, KD); note that X and Y

under this case may take a diﬀerent value from that case under (KA, KC).

Finally, since theFI82function has a zero input and output diﬀerence, by the structure

of the FO function we observe that only the subkeys (K1, K3′, K5, K5′, K5′∗, K7, K7′, K8)

are required when checking whether a candidate quartet consisting of two ciphertext pairs produces the output diﬀerence δ = 0 of the 7-round distinguisher. Since K₅′ =

FI(K5, K6), K5′∗=K5′ ⊕b and K7′ =FI(K7, K8), we have the following result.

Proposition 4. Only the subkeys (K1, K3′, K5, K6, K7, K8) are required when checking whether a candidate quartet consisting of two ciphertext pairs satisﬁes the output diﬀerence δ= 0 of the 7-round distinguisher.

Attack Procedure. First we precompute two hash tables T1 and T2, as follows.

TableT1. Note that KI81 =K5′ orK5′∗(= K5′ ⊕b), KO83 =K7, andKI83=K3′. Under

every possible (K₃′, K₅′, K7), we compute (∆µ, ∆ν) for every x= (xL||xR) ∈ {0,1}32,

as follows.

µ= FI81(xL, K5′)⊕FI81(xL, K5′ ⊕b), ν = FI83(FI81(xL, K5′)⊕XR⊕K7, K3′)⊕

FI83(FI81(xL, K5′ ⊕b)⊕XR⊕K7, K3′).

By the structure of FI, we know the left 7 bits of µ must be a, and µ has the form

a||X, that is µ = (a||X), where X ∈ Sa, where Sa is deﬁned above. For a ﬁxed

(K₃′, K₅′, K7, µ, ν), on average there are 232×2−8×2−16= 28 satisfying values for x.

We store the satisfying values ofxinto tableT1indexed by the value (K₃′, K₅′, K7, X, ν).

There are 216 possible values for K₃′, at most 216 possible values for K₅′, 213 possible values forK7, 28 possible values forµ, and 216possible values forν, thus this

(16)

TableT2. Under every possible (K1, K7′, K8), we computeλ= (K8||016)⊕FL−101(x, K7′||K1)

for eachx∈ {0,1}32. There are 216possible values forK1, 213possible values forK7, 215

possible values forK8, and 216 possible values for K7′. Note thatK7 =FI−1(K7′, K8).

For a ﬁxed (x, λ, K7), on average there are 216×215×2−32= 0.5 satisfying values for

(K1, K7′, K8); for a ﬁxed (K1, K7, K8), there are 232 satisfying (x, λ). We make table T2 in the following manner:

For every possibleK7:

For every possible (K1, K8):

– Compute K₇′ =FI(K7, K8).

– Find all the 232 possible (x, λ) such thatλ= (K8||016)⊕FL−₁₀1(x, K₇′||K1).

– Store (K1, K8) into TableT2 indexed ﬁrst byK7 and then by (x, λ).

– Set a binary marker with two possible statuses, “up” and “down”, to the set of 232tuples (K7, K1, K8, x, λ). The marker’s initial status is down.

That is, for a K7, there are 231 markers corresponding to the 231 possible values of

(K1, K8); and 232 diﬀerent (x, λ) that work under the same (K7, K1, K8) share the

same marker. T2 requires a memory of about 213×216×215×232×4 = 278 bytes. This precomputation has a time complexity of about 213×216×215×232= 276FL−1

computations.

Now we can give the following attack procedure to break the full MISTY1.

1. Initialize zero to an array of 275 counters corresponding to all the 275 possible values for (K1, K3′, K5, K6, K7, K8).

2. Choose a set of 258.5 plaintext pairs (P, P∗ = P ⊕(048||b)), and another set of 258.5 plaintext pairs (P′, P′∗=P′⊕(048||b)). In a chosen-plaintext attack scenario, obtain the ciphertexts for the plaintexts P, P∗, P′, P′∗ under KA, KB, KC, KD, respectively, and

we denote by C = (CLL||CLR, CRL||CRR) the ciphertext for plaintext P encrypted

underKA, byC∗= (CL∗_L||CL∗_R, CR_L∗||CR∗_R) the ciphertext for plaintextP∗ encrypted

underKB, byC′ = (CL′L||CL′R, CR′L||CR′R) the ciphertext for plaintextP′ encrypted

under KC, and by C′∗ = (CL′∗L||CL′∗R, CR′∗L||CR′∗R) the ciphertext for plaintext P′∗

encrypted underKD.

3. Check whether a candidate quartet (C, C∗, C′, C′∗) meets both the following conditions by storing the ciphertext pairs (C, C∗) and (C′, C′∗) into a hash table indexed by the values CRL||CRR||CR∗_L||CR∗_R and CR′_L||CR′_R||CR′∗_L||CR′∗_R.

(CRL||CRR)⊕(CR′L||CR′R) = 0,(CR∗L||CR∗R)⊕(CR′∗L||CR′∗R) = 0.

Keep only the satisfying quartets.

4. For every remaining quartet (C, C∗, C′, C′∗), do the following sub-steps. (a) Choose all the possible K₃′ satisfying the following conditions:

(CLR∪K3′)⊕CLL⊕(CLR′ ∪K3′)⊕CL′L=a||X′,

(CL∗_R∪K₃′)⊕CL∗_L⊕(CL′∗_R∪K₃′)⊕CL′∗_L =a||X∗,

where X′, X∗ represents two indeterminate 9-bit values, (X′, X∗ can be different for different quartets, but obviously their values are fixed for a given quartet and

K₃′).

(b) For every satisfying K₃′, do as follows.

(17)

C′∗. Let

FL−₉1(CLL||CLR, K5||K3′)⊕FL−91(CL′L||CL′R, K5||K3′)

= a||X′||(Y′⊕(a||X′)),

FL−₉1(CL∗_L||CL∗_R, K5||K₃′)⊕FL−₉1(CL′∗_L||CL′∗_R, K5||K₃′) = a||X∗||(Y∗⊕(a||X∗)),

whereY′, Y∗ represent speciﬁc 16-bit values.

ii. GuessK7; by Proposition 3-(2) we know there are two corresponding values for K6 (for each guessed K7), and we denote them by Ke6 and K6. Then, do the

following four sub-steps. A. Compute

e

K₅′ =FI(K5,Ke6);K′5=FI(K5, K6).

B. For (C, C′), access TableT1 at entry (K₃′,Ke₅′, K7, X′, Y′) to get the possible

32-bit inputs to theFO8 function excluding the XOR operation withKO81.

As discussed earlier, whenX′ ∈ Sa, on average there are 28 possible inputs,

and we denote them byxe1,xe2,· · ·,xe256; when X′ does not belong to Sa we

get no input and go to execute Step 4(b)(ii)(D). Similarly, for (C∗, C′∗), access Table T1 at entry (K₃′,Ke₅′, K7, X∗, Y∗) to get the possible 32-bit

inputs to the FO8 function excluding the XOR operation with KO81, and

we denote them byxe∗₁,xe∗₂,· · ·,xe∗₂₅₆ whenX∗∈ Sa; whenX′ does not belong

toSa there is no input and we execute Step 4(b)(ii)(D).

C. For i = 1,2,· · ·,256, access Table T2 at entry (K7, CLL|| CLR,xei) and

ﬂip the corresponding marker up. For i = 1,2,· · ·,256, access Table T2 at entry (K7, CL∗_L||CL∗_R,ex∗i) and check whether the corresponding marker is

up or down; if it is up, get the corresponding (K1, K8) and increase 1 to the

counter corresponding to the guessed (K1, K3′, K5,Ke6, K7, K8), otherwise

execute the next iteration (Initialize the markers in T2 to be down after ﬁnishing all the 256 iterations).

D. Repeat the above two sub-steps (B) and (C) similarly for the case K′₅. When X′ or X∗ does not belong to Sa, there is no input, and we execute

Step 4(b)(ii) with another guess forK7. (If this sub-step is done, go to Step

4(b)(ii), etc.)

5. For a value of (K1, K3′, K5, K6, K7, K8) whose counter has a non-zero number,

exhaus-tively search the remaining key bits with two known plaintext-ciphertext pairs. If a value of (K1, K2,· · ·, K8) is suggested, output it as the user key of the full MISTY1.

Note that in Step 4(b)(ii) we check the two pairs from a candidate quartet one after the other, instead of checking them simultaneously. This is the early abort technique for the (related-key) rectangle attack, described in [31] as well as in Chapter 4.4 of [30].